Simple web app made while learning authentication system.

D3N2-A/Secrets-App

Secrets App

A simple web application built while learning authentication and security.

Six levels of security were implemented, starting from a plain-text comparison against the password stored in the database and ending with OAuth 2.0 sign-in through Google.

Installation

Requires Node.js, npm, MongoDB and Express.

Install the project dependencies with npm. First make a local copy of the project. A MongoDB server instance must be running on port 27017.

```shell
# Clone with the GitHub CLI
gh repo clone D3N2-A/Secrets-App

# Change into the cloned directory, then install dependencies
cd /path
npm i

# Start MongoDB (port 27017), then the app
mongod
nodemon app.js
```

Level 1 Plain text

This level simply compares the password the user entered with the plain-text password stored in the database.

```js
// Look the user up by e-mail and compare the submitted password with the stored plain text
user.findOne({ em: req.body.username }, (err, foundUser) => {
  if (!err) {
    if (foundUser) {
      if (foundUser.pwd === req.body.password) {
        res.render("secrets");
      }
    }
  } else {
    console.log(err);
  }
});
```

Level 2 Key-encryption

This level uses mongoose-encryption to encrypt and decrypt the password field automatically, and stores the secret key in an environment variable.

```js
// Encrypt only the pwd field; `secret` is read from an environment variable
userSchema.plugin(encrypt, { secret: secret, encryptedFields: ["pwd"] });
```

Level 3 Hashing

This level stores passwords in the database as MD5 hashes and then compares the MD5 hash of the entered password against the stored one.

```js
// Compare the MD5 hash of the submitted password with the stored hash
user.findOne({ em: req.body.username }, (err, foundUser) => {
  if (!err) {
    if (foundUser) {
      if (foundUser.pwd === md5(req.body.password)) {
        res.render("secrets");
      }
    }
  } else {
    console.log(err);
  }
});
```

Level 4 Hashing + Salting

This level uses bcrypt, a password hashing function that generates a random salt per password and applies its hash over many rounds (the cost factor 13 below).

```js
// Hash with a cost factor of 13; bcrypt generates and embeds the salt itself
bcrypt.hash(req.body.password, 13, (err, hash) => {
  // Store `hash` (not the plain password) into the DB
});
```

```js
// bcrypt.compare re-hashes the submitted password with the stored salt and compares
user.findOne({ em: req.body.username }, (err, foundUser) => {
  if (!err) {
    if (foundUser) {
      bcrypt.compare(req.body.password, foundUser.pwd, function (err, result) {
        if (result) {
          res.render("secrets");
        } else {
          res.send("WRONG PASSWWORDDD!!!");
        }
      });
    }
  } else {
    console.log(err);
  }
});
```

Level 5 🍪

NPM (passport, passport-local-mongoose)

This level uses Passport.js with passport-local-mongoose, which handles salting, hashing, registration, authentication and the user's cookie-based session, including ending it.

```js
// Adds salting, hashing, register() and authenticate() helpers to the schema
userSchema.plugin(passportLocalMongoose);
```

```js
// Register a user; the plugin salts and hashes the password before saving
user.register(
  { username: req.body.username, active: false },
  req.body.password,
  function (err, user) {
    if (err) {
      console.log(err);
      res.render("register");
    } else {
      passport.authenticate("local")(req, res, () => {
        res.redirect("/secrets");
      });
    }
  }
);
```

```js
// Log the user in and establish the session
req.login(user, function (err) {
  if (err) {
    console.log(err);
    res.redirect("/login");
  } else {
    passport.authenticate("local")(req, res, () => {
      res.redirect("/secrets");
    });
  }
});
```

Level 6 OAuth 2.0

NPM (passport,passport-google-oauth2, passport-local-mongoose ,mongoose-findorcreate)

This level adds sign-in with Google through OAuth 2.0 using the passport-google-oauth2 strategy, alongside the Passport.js local strategy from Level 5 (registration, salting and hashing, sessions); mongoose-findorcreate supplies the findOrCreate helper used in the strategy callback.

```js
// Google OAuth 2.0 strategy; client ID and secret come from environment variables
passport.use(
  new GoogleStrategy(
    {
      clientID: process.env.CLIENT_ID,
      clientSecret: process.env.CLIENT_SECRET,
      callbackURL: "http://localhost:3000/auth/google/secrets",
      passReqToCallback: true,
    },
    function (request, accessToken, refreshToken, profile, done) {
      // findOrCreate is provided by the mongoose-findorcreate plugin
      user.findOrCreate({ googleId: profile.id }, function (err, user) {
        return done(err, user);
      });
    }
  )
);
```

```js
// Local login method
const tr = new user({
  username: req.body.username,
  password: req.body.password,
});
req.login(tr, function (err) {
  if (err) {
    console.log(err);
    res.redirect("/login");
  } else {
    passport.authenticate("local")(req, res, () => {
      res.redirect("/secrets");
    });
  }
});
```

Author
